Cryptojacking Attack Found on Los Angeles Times Website

A security researcher found Coinhive code hidden on a Los Angeles Times’ webpage that was secretly using visitors’ devices to mine cryptocurrency.

Researchers said they found cryptojacking code hidden on the Los Angeles Times’ interactive Homicide Report webpage that was quietly harnessing visitors’ CPUs to mine Monero cryptocurrency.

The cryptojacking incident was found by Troy Mursch, a security researcher at Bad Packets Report, on Wednesday. He said the cryptominer has since been killed off. The cryptominer in question was made by Coinhive, a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content.

Coinhive’s JavaScript miner software is often used by hackers, who secretly embed the code into websites and then mine Monero currency by tapping the CPU processing power of site visitors’ phones, tablets and computers.

Mursch told Threatpost that in the case of the LA Times the miner was throttled so that it had a reduced impact on visitors’ CPUs and would be harder to detect. Typically, cryptojacking attacks are not throttled and use 100 percent of the target’s CPU. As a result victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.

“Depending on the throttle amount, the impact [on visitors’ CPUs] can vary greatly,” Mursch told Threatpost. “In the case with the LA Times website, it was throttled so low the average user probably wouldn’t notice it running in the background.”

That method appeared to have worked and kept the code secret for a while. Mursch estimates the cryptojacking JavaScript code was hidden on the website since at least Feb. 9.

Mursch said he found the code after investigating an LA Times Amazon AWS S3 storage bucket that was misconfigured, giving anyone – including criminal cryptocurrency miners – the ability to write code to the server and the Homicide Report website.

According to the security researcher, the Coinhive cryptomining software found on the LA Times’ website has surreptitiously been used many times before, both on UK and US government sites and on other news publication sites. Earlier this week, vehicle maker Tesla reportedly fell victim to a cryptocurrency mining attack when misconfigured Amazon S3 buckets allowed criminals to plant cryptomining malware on the company’s cloud environment, according to researchers at RedLock.

“No one knows who this individual is, however Coinhive has claimed they terminated them,” said Mursch.

In order to prevent these types of incidents, Mursch recommended that companies properly secure their cloud services and set up some sort of monitoring for all their services.

“In the case of the LA Times and many others, the easiest prevention method is to ensure your cloud services, such as AWS, are properly secured,” he said. “In the LA Times case, it appears anyone could write to their AWS bucket which in turn led to the cryptojacking code being placed by miscreants.”

Authors

Threatpost